Control theme: Organisational | Control type: Preventive | Cybersecurity concept: Identify

A.5.1 Policies for Information Security

M365 Admin Path: Microsoft Entra admin center > Protection > Conditional Access > Terms of use

What is this control?

ISO 27001 control A.5.1 Policies for Information Security requires organisations to establish a management-approved framework of information security policies that provides direction and support for information security. The control requires that all policies are formally approved, published to a central repository, communicated to relevant personnel with acknowledgement captured, and reviewed at planned intervals. In Microsoft 365 environments, policy attestation can be enforced through Microsoft Entra Terms of Use integrated with Conditional Access, so that users must formally accept the relevant policies before they are granted access to organisational resources.

How to implement in Microsoft 365

Implement A.5.1 by establishing a policy governance framework with clear ownership and approval processes. Publish all ISMS policies to a version-controlled SharePoint Online site as the single source of truth. Configure Microsoft Entra Terms of Use to require formal acceptance of key policies, then create Conditional Access policies that enforce Terms of Use acceptance as a grant control.

Microsoft Entra ID records each acceptance or decline of a Terms of Use agreement with the user, timestamp and (when per-device acceptance is enabled) device details; these records, together with the Entra audit log, are the attestation evidence. Set a re-acceptance frequency on the agreement (annually is a reasonable default) and, when a policy is revised, upload the new version and require users to re-accept it rather than leaving the old acceptance in place. Maintain a policy register in ISMSOnline or an equivalent tool that tracks the owner, version, approval date and review schedule of every policy.

Review all policies annually or when significant changes occur to business operations, technology, or regulatory requirements.
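The steps above, carried out with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page: it publishes a policy PDF as a Terms of Use agreement with annual re-acceptance, then creates a Conditional Access policy that uses acceptance of that agreement as its grant control. The PDF path, the break-glass group ID and the display names are placeholders (assumptions, not values from the page). The policy is created in report-only mode so that sign-in logs can be reviewed before it is switched to enabled.

```powershell
# Added example (not from the original page): publish a Terms of Use agreement and
# enforce it through Conditional Access using the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph (Identity.Governance and Identity.SignIns sub-modules).
# Assumptions (placeholders, not from the page): $PdfPath, $BreakGlassGroup, display names.

Connect-MgGraph -Scopes 'Agreement.ReadWrite.All','Policy.ReadWrite.ConditionalAccess','Policy.Read.All'

$PdfPath         = 'C:\ISMS\InformationSecurityPolicy-v3.pdf'   # assumed: path to the approved policy PDF
$BreakGlassGroup = '00000000-0000-0000-0000-000000000000'        # assumed: object ID of the emergency-access group

# 1. Create the agreement. The PDF is embedded base64-encoded; users must view the
#    whole document before accepting, and must re-accept every 365 days.
$agreementParams = @{
    displayName                       = 'ISMS Information Security Policy v3'
    isViewingBeforeAcceptanceRequired = $true
    isPerDeviceAcceptanceRequired     = $false
    userReacceptRequiredFrequency     = 'P365D'   # ISO 8601 duration: annual re-acceptance
    files = @(
        @{
            fileName  = 'InformationSecurityPolicy-v3.pdf'
            language  = 'en-GB'
            isDefault = $true
            fileData  = @{ data = [Convert]::ToBase64String([IO.File]::ReadAllBytes($PdfPath)) }
        }
    )
}
$agreement = New-MgIdentityGovernanceTermsOfUseAgreement -BodyParameter $agreementParams
Write-Host "Created Terms of Use agreement $($agreement.Id)"

# 2. Conditional Access policy: all users, all cloud apps, access granted only once the
#    agreement has been accepted. Break-glass accounts are excluded so that a Terms of Use
#    outage cannot lock administrators out. Start in report-only mode; switch state to
#    'enabled' after reviewing the sign-in log's report-only results.
$caParams = @{
    displayName = 'ISMS: require acceptance of Information Security Policy'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroup) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @()
        termsOfUse      = @($agreement.Id)
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $caParams
Write-Host "Created Conditional Access policy $($policy.Id) in report-only mode"
```

When the policy is later revised, upload the new PDF as a new version of the same agreement and choose to require re-acceptance; the Conditional Access policy needs no change because it references the agreement ID, not the file.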

What an auditor looks for

Auditors will verify that a formal policy governance framework exists with documented ownership for each policy. They will check that at least one Terms of Use agreement is configured in Microsoft Entra ID and enforced through a Conditional Access grant control. They will review the agreement acceptance records to confirm an acceptance rate of at least 95% of in-scope users and will expect a list of the users who have not accepted. Note that once the Conditional Access policy is enforced, a user without a current acceptance cannot sign in, so the outstanding list is in practice the set of in-scope users who have not signed in since enforcement (or since the last version was published); inactive accounts in that list are a separate finding.

Auditors will examine the policy register to verify all policies have been reviewed within the last 12 months, have documented approvers, and show version history. They will also verify that CIS Benchmark assessments are configured in Microsoft Purview Compliance Manager for M365, Azure, and Intune configurations.
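A way to produce the acceptance-rate evidence described above, as an added example that is not part of the original page: it pulls the acceptance records for one agreement through the Microsoft Graph PowerShell SDK, keeps only each user's most recent record, treats an acceptance as current only if it is in the accepted state and not expired (so a lapsed annual re-acceptance counts as outstanding), compares against the enabled member accounts, and exports both the evidence and the outstanding list. The agreement ID, the in-scope population filter and the CSV paths are assumptions to be adjusted to the tenant.

```powershell
# Added example (not from the original page): acceptance-rate report for a Terms of Use
# agreement, with CSV evidence for the auditor.
# Assumptions (not from the page): $AgreementId placeholder; in-scope population is enabled
# member accounts (adjust the filter if the CA policy also targets guests).

Connect-MgGraph -Scopes 'AgreementAcceptance.Read.All','User.Read.All'

$AgreementId = '00000000-0000-0000-0000-000000000000'   # assumed: replace with the real agreement ID
$Threshold   = 0.95                                      # the 95% rate the auditor expects
$now         = (Get-Date).ToUniversalTime()

# In-scope population
$users = Get-MgUser -All -Filter "accountEnabled eq true and userType eq 'Member'" `
                    -Property Id,UserPrincipalName

# Every acceptance/decline record: user, state, timestamp, device, and which file version.
$acceptances = Get-MgIdentityGovernanceTermsOfUseAgreementAcceptance -AgreementId $AgreementId -All

# Keep the latest record per user; a user who declined after accepting is not compliant.
$latest = $acceptances |
    Group-Object UserId |
    ForEach-Object { $_.Group | Sort-Object RecordedDateTime -Descending | Select-Object -First 1 }

# Current acceptance = accepted AND (no expiry OR expiry still in the future).
$currentIds = $latest |
    Where-Object {
        $_.State -eq 'accepted' -and
        ($null -eq $_.ExpirationDateTime -or $_.ExpirationDateTime.ToUniversalTime() -gt $now)
    } |
    ForEach-Object { $_.UserId }

$missing  = @($users | Where-Object { $currentIds -notcontains $_.Id })
$accepted = $users.Count - $missing.Count
$rate     = if ($users.Count -gt 0) { $accepted / $users.Count } else { 0 }

"Agreement {0}: {1}/{2} in-scope users have a current acceptance ({3:P1}); threshold {4:P0}" -f `
    $AgreementId, $accepted, $users.Count, $rate, $Threshold
if ($rate -lt $Threshold) {
    Write-Warning "Below threshold: $($missing.Count) users outstanding (see tou-outstanding.csv)"
}

# Evidence exports: full attestation records and the outstanding list.
$latest |
    Select-Object UserPrincipalName, State, RecordedDateTime, ExpirationDateTime,
                  DeviceDisplayName, DeviceOSType, AgreementFileId |
    Export-Csv -Path '.\tou-acceptances.csv' -NoTypeInformation
$missing |
    Select-Object UserPrincipalName |
    Export-Csv -Path '.\tou-outstanding.csv' -NoTypeInformation
```

The AgreementFileId column lets the auditor confirm that acceptances relate to the current policy version rather than a superseded one; if a new version was published without requiring re-acceptance, older file IDs will appear in the export and should be treated as outstanding.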

M365 capabilities that implement this control

SharePoint CIS Fundamentals Foundation

CIS Microsoft 365 Foundations benchmark settings for SharePoint Online

Teams CIS Fundamentals Foundation

CIS Microsoft 365 Foundations benchmark settings for Microsoft Teams

OneDrive CIS Fundamentals Foundation

CIS Microsoft 365 Foundations benchmark settings for OneDrive for Business